About blank [RESOLVED]

BillNich

Posted 15 May 2005 - 09:50 PM

New Member

Member

6 posts

Here are my logs. I developed this problem when I downloaded Norton 2005 as an upgrade from their website. ??Coincidence?? I was unable to fix this with any earlier steps. Ewido has been active frequently, blocking trojans it says.

Help.

I have Zone alarm as a firewall, but it hasn't been helping. Thanks for your help.

Crustyoldbloke

Posted 17 May 2005 - 01:34 PM

Old Malware Surgeon with a shaky scalpel

Retired Staff

15,130 posts

Hello Bill (BillNich) and welcome to Geeks to Go.

Before we get underway, you may wish to print these instructions for easy reference during the fix, although please be aware that many of the required URLs are hyperlinks in the red names shown on your screen. Part of the fix will require you to be in Safe Mode, which may not allow you to access the Internet, or my instructions!

I don’t think that I would like to comment as to where you got this infection, but you certainly are infected; you have the Extra Service CWS variant. Now if you are ready, let’s get fixing!

I just want to check a couple of points with you. Please ensure you have administrator rights on this PC (User Accounts in the Control Panel will confirm this), and that this is a single identity PC, if not please inform me in your next reply.

You are running HijackThis from Desktop; please create a new folder for it (for example C:\Program Files\Hijackthis\Hijackthis.exe) and move the programme into it. It is very important you do this before anything else!

The first job is to disable Ewido from running in real time; it may hinder our attempts to fix some problems. I am not sure if you can do this from the task bar icon or the programme itself, but it will be an option.

To start please download the following programmes, we will run them later. Please save them to a place that you will remember, I suggest the Desktop:

Go to Start>Run and type Services.msc then hit OK. Scroll down and find the below service:

Remote Procedure Call (RPC) Helper ( 11Fßä #•ºÄÖ`I)

When you find it, double-click on it. In the next window that opens, click the Stop button, then click on properties and under the General Tab, change the Startup Type to Disabled. Now hit Apply and then OK.

Run HiJackThis. Click on None of the above, just start the program. Now, click on the Config button (bottom right), then click on Misc Tools, then click on Delete an NT Service a window will pop up. Enter the below item into that field (copy and paste):

11Fßä #•ºÄÖ`I

Click OK.

It should pull up information about the service; when it asks if you want to reboot now, click YES.

Next stage after reboot.

Now please install CWShredder, and run it. Click Check For Update, then Fix and then OK followed by Next, let it fix everything it asks about.

Please run Hoster (just double click it to open). Choose the Restore Original Hosts button and press OK.

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

Now close all windows other than HiJackThis, then click Fix Checked. Please now reboot into safe mode. Here's how:

Restart your computer and as soon as it starts booting up again continuously tap the F8 key. A menu should appear where you will be given the option to enter Safe Mode.

Please remove these entries from Add/Remove Programs in the Control Panel (if present) (click Start>Settings>Control Panel):

Viewpoint Manager
Wild Tangent

Please notify me of any other programmes that you don’t recognise in that list in your next response.

Please set your system to show all files; please see here if you're unsure how to do this.

Please delete these folders (if present) using Windows Explorer:

C:\Program Files\WildTangent\
C:\Program Files\Viewpoint\

Please delete these files (if present) using Windows Explorer:

C:\WINDOWS\atlvt.exe
C:\WINDOWS\wrdel.dll
C:\WINDOWS\system32\d3pi32.dll
C:\WINDOWS\system32\apptj32.exe
C:\WINDOWS\system32\appxq.exe
ALCXMNTR.EXE (use the search feature to locate this file)

Close Windows Explorer and Reboot normally.

Now we must hide the files we revealed earlier by reversing the process, this is an important safeguard to stop important system files being deleted by accident.

There is almost certainly bound to be some junk (leftover bits and pieces) on your system that is doing nothing but taking up space. I would recommend that you run CCleaner. Install it, update it, check the default setting in the left-hand pane, Analyze, Run Cleaner. You may be fairly surprised by how much it finds.

BillNich

Posted 18 May 2005 - 07:04 PM

New Member

Topic Starter

Member

6 posts

I hope this message is in the right spot now and continuing the thread. Here are my logs after running through the steps. When I tried to run Hoster, I got an I/O error 32 message. I deleted any of the files that you listed that I could find. In the Add/Remove Programs step I'm not sure about Python 2.2.1 and a family of S3 programs (S3 Display, S3Info2, etc.). When I tried to delete files I used the search feature, as I'm not sure what Windows Explorer is.

Thanks again for your help. If I didn't post this correctly please give me a hint. Thanks.

Crustyoldbloke

Posted 19 May 2005 - 03:16 AM

Old Malware Surgeon with a shaky scalpel

Retired Staff

15,130 posts

Hello again Bill

Before we get under way, you may wish to print these instructions for easy reference during the fix, although please be aware that many of the required URLs are hyperlinks in the red names shown on your screen.

You’re doing just fine, and most of the nasties are gone. With all the excitement, you forgot to tell me the answer to this question: Does the name EasyStreet Online Services of Beaverton, Oregon mean anything to you? I need to know since it appears in your log and being a limey, some 7,000 miles away, it means nothing to me.

Let's make life a little simpler for you and introduce Windows Explorer to you. Please go to Start>Programs>Accessories, then right click on Windows Explorer, choose Send To > Desktop (create shortcut), and left click.

Hopefully, you will now see the shortcut on your desktop, it looks like an open folder with a magnifying glass in front of it. Here’s the irony, this time I want you to use the search feature to find and delete a file. Here goes:

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

BillNich

Posted 19 May 2005 - 10:22 PM

New Member

Topic Starter

Member

6 posts

Hello again,

Thanks again for all your help it seems to be getting closer. First Easystreet is a local ISP. I don't think I ever had an account with them but they may have bought Teleport. Teleport was an early ISP here and I had a dial up account with them for a number of years.

Before this last try, the computer was pretty good. The home page would go blank daily, but once reset would stay that way until sometime overnight. There was still some internet contact that Zone Alarm was blocking. Thanks for the advice on Windows Explorer. I had been using it but not realizing it was Windows Explorer. I deleted the two entries in HJT and could not find the file ALCXMNTR.EXE.

Since others may have missed a reply to you I wanted to mention Stopzilla. It helped a lot. It didn't get everything but made it possible to use most of the computer. Hopefully this last step has done the trick. I have a lot of anti-virus, anti-spyware, and firewall stuff now. My temptation would be to add about 100 more after this experience, however I hear you can have too many or they can interfere. Do I have too many now?

Crustyoldbloke

That is it, and I'll wager that the next log will be clean, but to answer your question about spyware security: you are quite right that real-time detection/prevention programmes are best run solo and not in tandem.

Your set-up looks about right. I personally run the Microsoft Antispyware and think it is an excellent programme and I look forward to the finished version promised for July 2005.

In addition to that, I also run Ad-Aware and Spybot about once a week, just as a final check. Please note that they are both on-demand scanners and therefore do not conflict with a real-time programme.

BillNich

Posted 21 May 2005 - 10:10 AM

New Member

Topic Starter

Member

6 posts

Good morning.

I eliminated the three files in HJT. I waited until this morning to see what would happen with the home page. It still comes up http:/// . It is easily changed to my usual home page and then is fine for the rest of the day. Irritating but not incapacitating. Is there a way to get rid of that?

At some point I was looking at a screen that had something to do with my Ping status. It was open. Should that be closed?

Crustyoldbloke

Posted 21 May 2005 - 10:58 AM

It’s looking a lot better, all but for one errant line, and I can’t see where it came from. Let’s just try fixing it again, but if it comes back we’ll have to look for hidden treasures within your PC.

Firstly, could you please disable Microsoft Antispyware from running during the fix; it may just hinder our attempts to change anything. Right click on the icon (looks like an archery target) in the task bar and choose Shutdown Microsoft Antispyware.

Please run Hoster (just double click it to open). Choose the Restore Original Hosts button and press OK.

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =

Now close all windows other than HiJackThis, then click Fix Checked. Please now reboot.

Post back a fresh HijackThis log and I will take another look.

The “Ping” is more to do with Firewalls and ports than anything else. I note you have Zone Alarm installed, which is good. You may be aware that Windows XP also has a built-in firewall that just needs to be activated. You’ll find it in the Control Panel.

Now here’s a little experiment for you to try. Check the status of the Windows Firewall, ensure it is enabled and go to http://www.grc.com, follow the links for Shields-Up and have your firewall tested for stealth ability. Now disable the Windows Firewall and do the same again. Finally, enable Windows Firewall and disable Zone Alarm and repeat the exercise.

If the result was similar throughout, then I would disable Zone Alarm.

Please ensure you do this little exercise before you post back your HJT log, just in case it impacts upon it.
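As an added illustration (not code from the thread, from HijackThis, or from the helper), the Python below applies the checks the helper made by eye in this thread to HijackThis log text: the R0 entry with an empty IE start page, an O23 service whose internal name is made of garbled characters (as with the "RPC Helper" service earlier), and O4/O23 entries that launch one of the files listed for deletion. The log lines are constructed samples; only the R0 line, the service name and the file names come from the thread.

```python
import re
from typing import List, Tuple

# Constructed sample HijackThis log (not the poster's real log). The R0 line is
# the one the helper asked to fix; the O23 "RPC Helper" entry mimics the
# garbled-name service; the first O4 entry points at a file listed for deletion.
SAMPLE_LOG = """\
R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page =
R1 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Search Page = http://www.google.com
O4 - HKLM\\..\\Run: [Updater] C:\\WINDOWS\\system32\\apptj32.exe
O4 - HKLM\\..\\Run: [zonealarm] C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe
O23 - Service: Remote Procedure Call (RPC) Helper (11Fßä #•ºÄÖ`I) - Unknown owner - C:\\WINDOWS\\system32\\appxq.exe
O23 - Service: Ewido security suite guard (ewidoguard) - ewido networks - C:\\Program Files\\ewido\\security suite\\ewidoguard.exe
"""

# Lower-cased basenames of the files the helper told the poster to delete.
BAD_FILES = {"atlvt.exe", "wrdel.dll", "d3pi32.dll", "apptj32.exe", "appxq.exe", "alcxmntr.exe"}

# O23 format: "O23 - Service: <display name> (<service name>) - <owner> - <path>".
# Greedy display name so the LAST parenthesised group is taken as the service name.
O23_RE = re.compile(r"^O23 - Service: (?P<display>.*) \((?P<name>[^()]*)\) - (?P<owner>.*?) - (?P<path>.*)$")
O4_RE = re.compile(r"^O4 - .*?: \[(?P<label>.*?)\] (?P<path>.*)$")

def odd_service_name(name: str) -> bool:
    """True if the service name holds non-ASCII or control characters, as the CWS 'Extra Service' variant did."""
    return any(ord(c) > 126 or ord(c) < 32 for c in name)

def basename(path: str) -> str:
    """Lower-cased last component of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()

def flag_entries(log_text: str) -> List[Tuple[str, str]]:
    """Return (reason, line) pairs for log entries matching the indicators discussed in this thread."""
    findings = []
    for line in log_text.splitlines():
        line = line.rstrip()
        if line.startswith("R0 - ") and line.endswith("Start Page ="):
            findings.append(("empty IE start page (about:blank hijack residue)", line))
            continue
        m = O23_RE.match(line)
        if m:
            if odd_service_name(m.group("name")):
                findings.append(("service with garbled name", line))
            elif basename(m.group("path")) in BAD_FILES:
                findings.append(("service runs a known-bad file", line))
            continue
        m = O4_RE.match(line)
        if m and basename(m.group("path")) in BAD_FILES:
            findings.append(("autorun entry for a known-bad file", line))
    return findings

if __name__ == "__main__":
    for reason, entry in flag_entries(SAMPLE_LOG):
        print(f"[{reason}] {entry}")
```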

Crustyoldbloke

Posted 21 May 2005 - 02:31 PM

Old Malware Surgeon with a shaky scalpel

Retired Staff

15,130 posts

Congratulations! Your new log is clean. Just a little bit more to do to prevent further infection.

Reset and Re-enable your System Restore to remove bad files that have been backed up by Windows. The files in System Restore are protected to prevent any programmes changing them. This is the only way to clean these files: (You will lose all previous restore points which are likely to be infected.)

To reset your restore points, please note that you will need to log into your computer with an account which has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.

(Windows XP)

1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Reboot.

3. Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.

I recommend going to the following link and updating as recommended by Microsoft. This adds more security and extra features including a pop-up blocker for Internet Explorer. Microsoft Update

Now that everything is fixed, I suggest that you consider getting these programmes to help keep the computer clean:

Please note that whilst there is nothing wrong in having more than one spyware detector/prevention programmes for “on demand” scanning, having two or more antivirus systems is not recommended as they may well interfere with each other.

Crustyoldbloke

Posted 22 May 2005 - 03:47 AM

Old Malware Surgeon with a shaky scalpel

Retired Staff

15,130 posts

Hello Bill

Since you've had this I/O error 32 message, when attempting to run Hoster, I thought it might be worth just checking over your system files. You'll be glad to hear that there is an automated way in which to do this.

Here's what you do to run the system file checker. Open a command prompt (Start -> Run - type CMD and hit enter). Type in SFC /SCANNOW (note the space after SFC) and hit enter. You'll need your XP disc handy.

This will check all your system files and replace any which are different from the original Microsoft versions.